b'Report No. D-2009-086           June 9, 2009\n\n\n\n\n         Controls Over the Contractor\n        Common Access Card Life Cycle\n           in the Republic of Korea\n\x0cAdditional Information and Copies\nTo obtain additional copies of this report, visit the Web site of the Department of Defense\nInspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports\nDistribution Unit at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.\n\nSuggestions for Audits\nTo suggest or request audits, contact the Office of the Deputy Inspector General for\nAuditing by phone (703) 604-9142 (DSN 664-9142), by fax (703) 604-8932, or by mail:\n\n                      ODIG-AUD (ATTN: Audit Suggestions)\n                      Department of Defense Inspector General\n                      400 Army Navy Drive (Room 801)\n                      Arlington, VA 22202-4704\n\n\n\n\nAcronyms and Abbreviations\nCAC                           Common Access Card\nCVS                           Contractor Verification System\nDEERS                         Defense Enrollment Eligibility and Reporting System\nDMDC                          Defense Manpower Data Center\nDoD IG                        Department of Defense Inspector General\nFKAQ                          USFK Assistant Chief of Staff, Acquisition Management\nGS                            General Schedule\nJPAS                          Joint Personnel Adjudication System\nNACI                          National Agency Check with Inquiries\nRAPIDS                        Real-Time Automated Personnel Identification System\nRO                            Responsible Officer\nSOFA                          Status of Forces Agreement\nTA                            Trusted Agent\nTASM                          Trusted Agent Security Manager\nUSD(P&R)                      Under Secretary of Defense for Personnel and Readiness\nUSFK                          United States Forces Korea\n\x0c                                    INSPECTOR GENERAL\n                                   DEPARTMENT OF DEFENSE\n                                    400 ARMY NAVY DRIVE\n                               ARLINGTON, VIRGINIA 22202-4704\n\n\n\n\n                                                                              June 9, 2009\n\n\nMEMORANDUM FOR UNDER SECRETARY OF DEFENSE FOR PERSONNEL\n                AND READINESS\n               COMMANDER, UNITED STATES FORCES KOREA\n               DIRECTOR, DEFENSE MANPOWER DATA CENTER\n\nSUBJECT: Controls Over the Contractor Common Access Card Life Cycle in the\n         Republic of Korea (Report No. D-2009-086)\n\n\nWe are providing this report for review and comment. We considered comments on a\ndraft of this report from the Director, Defense Manpower Data Center in preparing the\nfinal report. This report is the second in a series on controls over Common Access Cards\nfor contractors.\n\nThe Commander, United States Forces Korea did not provide comments on the draft\nreport. DoD Directive 7650.3 requires that all recommendations be resolved promptly.\nWe request the Commander to provide comments on the [mal report by July 9, 2009.\n\nCopies of your comments must have the actual signature of the authorizing official for\nyour organization. We are unable to accept the / Signed / symbol in place of the actual\nsignature. If you arrange to send classified comments electronically, you must send them\nover the SECRET Internet Protocol Router Network (SIPRNET).\n\nWe appreciate the courtesies extended to the staff. Please direct questions to me at\n(703) 604-8905 (DSN 664-8905).\n\n\n\n                                             r~/~\n                                             PaulParanetto\n                                             Principal Assistant Inspector General\n                                             for Auditing\n\x0c\x0cReport No. D-2009-086 (Project No. D2007-D000LA-0199.003)                             June 9, 2009\n\n\n               Results in Brief: Controls Over the\n               Contractor Common Access Card Life Cycle\n               in the Republic of Korea\n\nWhat We Did                                              What We Recommend\nWe determined whether controls over Common               The Commander, United States Forces Korea\nAccess Cards (CACs) provided to contractors in           should improve and issue additional guidance to\nKorea are in place and working as intended.              ensure that an appropriate Responsible Officer\nSpecifically, we evaluated whether DoD                   is selected, that all contractors requiring a CAC\nofficials approved and periodically reverified           to work in Korea obtain approval from the\nthe need for CACs using the Contractor                   United States Forces Korea Acquisition\nVerification System (CVS) and issued and                 Management Office, that CAC expiration dates\nrecovered CACs in accordance with DoD                    are consistent with supporting documentation,\npolicies and procedures. Information from the            that personnel approving CACs verify the\nDefense Manpower Data Center indicated there             initiation of background checks, and that\nwere approximately 2,300 contractors with                terminated CACs are properly recovered.\nactive CACs issued in Korea as of August 31,\n2008. This report is the second in a series on           The Director, Defense Manpower Data Center\nCACs issued to contractors.                              should establish system controls to prevent CVS\n                                                         operators from sponsoring contractors until the\nWhat We Found                                            operators have taken the required training, and\nAlthough supporting documentation for CACs               clarify guidance on the types of identification\nissued to contractors in Korea was generally             cards to issue.\navailable, we identified the following internal\ncontrol weaknesses and areas where additional            Recommendations in DoD Inspector General\nguidance could improve the administration of             Report D-2009-005, \xe2\x80\x9cControls Over the\ncontractor CACs:                                         Contractor Common Access Card Life Cycle,\xe2\x80\x9d\n                                                         October 10, 2008, to improve policies and\n\xef\x82\xb7 18 of 38 CVS operators interviewed had not\n                                                         procedures are being implemented and are not\n    taken the required training.\n                                                         repeated in this report.\n\xef\x82\xb7 Expiration dates for CACs were not always\n    consistent with supporting documentation.\n\xef\x82\xb7 24 of 37 Trusted Agent sponsors of\n                                                         Management Comments and\n    contractors approved issuance of CACs                Our Response\n    without verifying the initiation of the              The Commander, United States Forces Korea\n    required background investigation.                   did not provide comments on the draft report,\n\xef\x82\xb7 Guidance for officials who approve and                 dated March 13, 2009. We request the\n    issue CACs was not always clear on what              Commander to provide comments on the final\n    type of identification cards should be issued.       report by July 9, 2009. The Director, Defense\n\xef\x82\xb7 56 of the 168 terminated CACs for                      Manpower Data Center provided responsive\n    contractors in our sample could not be               comments to the recommendations and is\n    accounted for.                                       implementing corrective actions. The Director\nRevising existing policy and issuing additional          also provided comments on the finding. See the\nguidance will strengthen controls over                   recommendations table on page ii.\ncontractor CACs in Korea.\n                                                     i\n\x0cReport No. D-2009-086 (Project No. D2007-D000LA-0199.003)                June 9, 2009\n\nRecommendations Table\nManagement                        Recommendations           No Additional Comments\n                                  Requiring Comment         Required\nCommander, United States Forces   1.\nKorea\nDirector, Defense Manpower Data                             2.\nCenter\n\nPlease provide comments by July 9, 2009\n\n\n\n\n                                             ii\n\x0cTable of Contents\n\nResults in Brief                                                 i\n\nIntroduction                                                     1\n\n       Objectives                                               1\n       Background                                               1\n       Review of Internal Controls                              3\n\nFinding. Common Access Cards Issued to Contractors in Korea      4\n\n       Management Comments on the Finding and Our Response      13\n       Recommendations, Management Comments, and Our Response   14\n\n\nAppendix\n\n       Scope and Methodology                                    16\n              Prior Coverage                                    18\n\n\nManagement Comments\n\n\n       Defense Manpower Data Center                             19\n\x0c\x0cIntroduction\nObjectives\nThe overall objective of this audit was to determine whether controls over Common\nAccess Cards (CACs) provided to contractors in the Republic of Korea (Korea) were in\nplace and working as intended. Specifically, we determined whether DoD officials\nissued CACs to contractors according to the requirements of the Contractor Verification\nSystem (CVS), verified the continued need for contractors to possess CACs, and revoked\nand recovered CACs from contractors in accordance with DoD policies and procedures.\nSee the Appendix for a discussion of the scope and methodology and prior coverage\nrelated to the objectives.\n\nBackground\nIn October 2000 DoD began issuing CACs to active-duty personnel, reserve personnel,\ncivilian employees, and eligible contractors. DoD personnel and eligible contractors use\nCACs as a general identification card and to gain access to DoD resources, installations,\nand sensitive information. In addition, CACs allow DoD personnel and eligible\ncontractors to electronically sign and send encrypted e-mails to facilitate daily business\nactivity. Under the Geneva Conventions, the CAC also serves as an identification card\nfor civilians and contractors who accompany the Armed Forces during a conflict, combat,\nor contingency operation.\n\nContractor CAC Life Cycle\nThe contractor CAC life cycle consists of four phases: application and approval, issuance,\nreverification, and revocation and recovery. The application and approval phase begins\nwhen a contractor requests a CAC through CVS. After the sponsor, the Trusted Agent\n(TA), approves the application in CVS, the contractor reports to a Real-Time Automated\nPersonnel Identification System (RAPIDS) site to be issued a CAC. After issuance, a TA\nmust verify every 180 days that the contractor still needs a CAC. When the contractor no\nlonger needs or is authorized a CAC, the CAC is revoked and recovered. Finally,\nRAPIDS personnel send the recovered CACs they receive from TAs or RAPIDS sites to\nthe Defense Manpower Data Center (DMDC) for destruction.\n\nSystems Used To Process Contractor CACs\nA memorandum from the Under Secretary of Defense for Personnel and Readiness\n(USD[P&R]) titled, \xe2\x80\x9cDEERS/RAPIDS Lock Down for Contractors,\xe2\x80\x9d November 10, 2005\n(hereafter the USD[P&R] Memorandum), mandated the use of CVS to apply for and\nauthorize a contractor CAC commencing in July 2006. CVS is a Web-based system that\nfeeds information on approved contractors into the Defense Enrollment Eligibility and\nReporting System (DEERS), the central repository for information collected about DoD\npersonnel and their authorized beneficiaries. However, DMDC did not enforce this\nmandate until the end of October 2008, when a program change to the RAPIDS software\nprevented operators from issuing CACs to contractors who could not be verified through\n\n\n\n                                            1\n\x0cCVS. RAPIDS is a system that retrieves contractor records from DEERS and prints the\ninformation on CACs for issuance.\n\nThe DMDC Contractor Verification System User Manual (hereafter the CVS User\nManual), Version 2.0, December 2008,1 requires a TA, a U.S. citizen and Government\nemployee sponsoring a contractor, to use CVS to approve the application of a contractor\nneeding to obtain a CAC. The TA must do the following.\n\n    \xef\x82\xb7   Establish the contractor\xe2\x80\x99s affiliation with the Government through contract\n        requirements in accordance with the Federal Information Processing Standards\n        Publication 201-1, \xe2\x80\x9cPersonal Identity Verification (PIV) of Federal Employees\n        and Contractors,\xe2\x80\x9d March 2006.\n    \xef\x82\xb7   Establish the contractor\xe2\x80\x99s need for logical and physical access and the duration of\n        access to DoD networks or facilities.\n    \xef\x82\xb7   Verify that contractors have had required background checks initiated.\n\nPrevious Audit Findings and Recommendations\nDepartment of Defense Inspector General (DoD IG) Report D-2009-005, \xe2\x80\x9cControls Over\nthe Contractor Common Access Card Life Cycle,\xe2\x80\x9d October 10, 2008, the first report in\nthis series, found that contractor CACs were not consistently approved, issued, reverified,\nrevoked, or recovered across DoD.\n\n    \xef\x82\xb7   Government sponsors had inadequate evidence to link contractors to a contract or\n        justify a CAC expiration date.\n    \xef\x82\xb7   Some contractors received CACs without undergoing the appropriate background\n        checks.\n    \xef\x82\xb7   RAPIDS personnel changed information approved by Government sponsors.\n    \xef\x82\xb7   DoD did not always recover revoked contractor CACs.\n    \xef\x82\xb7   The Army did not provide adequate oversight of thousands of CACs issued to\n        contractors deploying to Southwest Asia.\n\nOverall, the CAC life-cycle weaknesses found posed a potential national security risk that\ncould allow unauthorized access to DoD resources, installations, and sensitive\ninformation. To tighten controls over contractor CACs, the report recommended\nimplementing improved DoD policies, procedures, and oversight as well as additional\nsystem controls over CVS and RAPIDS.\n\nThe Office of the Secretary of Defense and the Army generally agreed with our\nrecommendations and began making improvements in policies and controls. In this\nreport we do not duplicate recommendations made in the prior report. However, we will\ncontinue to monitor actions proposed by DoD to ensure their implementation.\n\n\n\n1\n The DMDC CVS User Training Guide, Version 1.9.2, August 2007, which was in force during the audit\nperiod, had similar guidance.\n\n\n                                                 2\n\x0cReview of Internal Controls\nWe identified internal control weaknesses in the administration of contractor CACs\nrelated to the training of CVS operators, verification of contractor background checks,\nand accountability for terminated CACs. Actions taken or planned by DoD in response\nto DoD IG Report D-2009-005 should correct most of the problems except that DMDC\nneeds to establish a date by when it will prohibit personnel from becoming CVS\noperators if they have not taken the required training. To further strengthen controls over\nverification of contractors\xe2\x80\x99 backgrounds and accountability for terminated CACs, USFK\nshould implement Recommendation 1., parts d. and e. We will provide a copy of the\nfinal report to the senior official for internal controls at USFK.\n\n\n\n\n                                             3\n\x0cFinding. Common Access Cards Issued to\nContractors in Korea\nAlthough supporting documentation for CACs issued to contractors working in Korea\nwas generally available, we identified the following internal control weaknesses and\nareas where additional guidance could improve the administration of contractor CACs.\n\n    \xef\x82\xb7   At least 18 of 38 CVS operators interviewed had not taken the required training.\n    \xef\x82\xb7   Expiration dates for CACs issued in Korea did not always agree with supporting\n        documentation.\n    \xef\x82\xb7   24 of 37 TA sponsors of contractors approved issuance of CACs without\n        verifying the initiation of the required background investigation.\n    \xef\x82\xb7   Nine contractors in our sample received the wrong type of identification card.\n    \xef\x82\xb7   Of 168 terminated CACs associated with our sample of contractors in Korea,\n        56 were not properly accounted for.\n\nThe weaknesses identified increase the risk of unauthorized access to DoD resources,\ninstallations, and sensitive information. Establishing and implementing the DoD-wide\npolicy, procedures, and controls recommended in the prior DoD IG report on the\ncontractor CAC life cycle; clarifying DMDC guidance regarding the correct types of\nidentification cards to issue; and issuing additional policy guidance and controls for\nUSFK will strengthen controls over contractor CACs in Korea.\n\nAnalysis of CAC Data\nTo review controls over CAC applications and CACs issued in Korea, we requested data\nfrom DMDC on CAC applications entered in CVS and on CACs issued from RAPIDS\nsites in Korea for the year ended August 31, 2008. We combined these two data sets to\nestablish a universe of contractors to review. After we selected a random sample of\ncontractors, we determined that DMDC had incorrectly included dependents of\ncontractors (who were not issued CACs) and contractors not associated with Korea in the\npopulations provided. Therefore, we are unable to project from our sample to the total\npopulation. However, we believe that the results of our review are representative of\nprocedures and conditions related to CACs applied for and issued to contractors in Korea.\nWe selected a random sample of 177 contractors from a data population of\n2,601 contractor records representing contractors who had applied for or obtained CACs\nin Korea during the audit period.2 See the Appendix for additional details regarding the\ndata populations and sample selection.\n\nTraining for CVS Operators\nThe CVS User Manual requires CVS operators, known as Trusted Agent Security\nManagers (TASMs) and TAs, to complete annual certification training courses in order to\n\n\n2\n  Some contractors were issued more than one CAC during the period because a previous CAC was\nterminated.\n\n\n                                                 4\n\x0caccess CVS and perform their duties. However, CVS was not set up to prevent TASMs\nand TAs from logging on to CVS before completing the required training. Interviews\nwith 38 TASMs and TAs in Korea associated with the contractors in our sample indicated\n18 (47 percent) had not taken the required certification training. The lack of training\nsometimes caused problems for TASMs and TAs in performing their required functions,\nas the following examples illustrate.\n\n   \xef\x82\xb7   A TASM did not know how to transfer contractors to a new TA when the\n       previous TA moved to another position. Therefore, instead of reassigning\n       contractors, the TASM created new applications under his account.\n   \xef\x82\xb7   A TA did not use CVS to sponsor contractors who possessed CACs from prior\n       years, and did not reverify these CACs as required.\n   \xef\x82\xb7   A TA cut up recovered CACs and disposed of them instead of turning them in to a\n       RAPIDS site, as required.\n   \xef\x82\xb7   A TA gave his CVS username and password to his predecessor to use in\n       completing a contractor application because the new TA had not taken the\n       required training and was unfamiliar with CVS.\n\nDMDC personnel stated that, beginning in January 2009, CVS operators started receiving\nwarnings when logging on to the system if they had not completed the required training.\nHowever, to further strengthen this control, DMDC should modify CVS to prohibit TAs\nand TASMS from logging on to CVS if they have not completed the required\ncertification training. DMDC personnel stated that they planned to implement this\ncontrol.\n\nCAC Application and Approval\nIn accordance with the Federal Information Processing Standards Publication 201-1 and\nthe CVS User Manual, the TA must establish the contractor\xe2\x80\x99s affiliation with the\nGovernment and the person\xe2\x80\x99s need for logical and physical access. We were able to\nobtain sufficient documentation to support DoD affiliation for 170 of 177 contractors in\nour sample. However, for the remaining seven contractors, we could not verify affiliation\nwith DoD for the following reasons.\n\n   \xef\x82\xb7   A TA completed a CVS application for a contractor based on an e-mail from\n       another contractor rather than verifying the contractor\xe2\x80\x99s affiliation with the\n       Government.\n   \xef\x82\xb7   The TAs for two contractors could not provide any evidence of why the\n       contractors received CACs in Korea. The CACs for both contractors had been\n       terminated before our audit began.\n   \xef\x82\xb7   Three contractors were not in CVS, and no documentation was available to\n       support their CACs.\n   \xef\x82\xb7   The TA for one contractor, a Korean national, could not provide adequate support\n       for issuing her a CAC.\n\nAs for the 170 contractors whose affiliation with DoD we were able to confirm, sufficient\ndocumentation was often available because many TAs were also the Responsible Officers\n\n\n                                           5\n\x0c(ROs) for their contracts. The TAs for 91 contractors also functioned as ROs (or direct\nsubordinates), overseeing contactors closely. These TAs had ready access to information\nthey needed to determine contractors\xe2\x80\x99 affiliation with DoD and need for CACs.\nAccording to USFK Regulation 700-19, \xe2\x80\x9cThe Invited Contractor and Technical\nRepresentative Program,\xe2\x80\x9d3 June 4, 2007, ROs should be geographically and functionally\nsituated to enable direct personal contact with the contractor being sponsored, certify the\ncontractor\xe2\x80\x99s entitlements to logistics support, and maintain the supporting documentation.\nIf USFK had a policy requiring ROs or their direct subordinates to be TAs for contractors\nworking in Korea, when practical, USFK could strengthen controls over approval and\nmonitoring of contractor CACs.\n\nUSFK Regulation 700-19 requires approval from the Office of the Assistant Chief of\nStaff for Acquisition Management (FKAQ) and the Status of Forces Agreement (SOFA)4\nJoint Committee before invited contractors to Korea are granted SOFA status. SOFA\nstatus normally entitles invited contractors who are \xe2\x80\x9cordinarily\xe2\x80\x9d residents of the United\nStates to logistical support privileges. This regulation further requires the sponsoring\nagency or RO to submit for FKAQ approval a copy of the contract information, a letter of\naccreditation, and an Invited Contractor and Technical Representative Personnel Data\nReport (USFK Form 700-19A-R-E). Upon approval, the contractor takes the required\nforms to the RAPIDS site to obtain an Identification and Privilege CAC. A CAC with\nprivileges entitles the contractor to logistical support, which normally includes access to\nthe post or base exchange; Morale, Welfare, and Recreation facilities; and the\ncommissary.\n\nUSFK Regulation 700-19 requires contractors needing an identification card, logistical\nsupport, and SOFA status to prepare and submit to FKAQ a USFK Form 700-19A-R-E\nthat has been approved by the contractor\xe2\x80\x99s RO. FKAQ maintains this documentation,\nwhich enabled us to verify the Government affiliation of many contractors if the TA did\nnot have the documents or was unavailable for interview. However, not all contractors\nneeding a CAC go through FKAQ. Contractors hired from the pool of retired military\npersonnel and dependents of invited contractors, military, or civilian personnel assigned\nto Korea sometimes do not go through FKAQ because they already have an identification\ncard to access facilities on the military installation. Also, U.S. citizens and third-country\nnationals who are residents of Korea working on a contract supporting USFK are not\nnecessarily eligible to receive an Identification and Privilege CAC and might not obtain\napproval from FKAQ. An FKAQ official stated that this limitation has also hindered\nassessment of the contractor population for a potential noncombatant evacuation\noperation.\n\n\n\n3\n  For audit purposes, we did not differentiate between an invited contractor and a technical representative.\nSome technical representatives were contractors. Others were representatives for commercial companies.\nIf these individuals needed CACs, they would use CVS.\n4\n  The SOFA is an international agreement between the United States and Korea envisaged by Article IV of\nthe United States Republic of Korea Mutual Defense Treaty. The SOFA discusses facilities, areas, and the\nstatus of the U.S. Armed Forces in Korea.\n\n\n                                                      6\n\x0cFKAQ personnel stated that USFK may revise the regulation to extend its applicability to\nevery contractor performing services for USFK in Korea. We support this planned\nrevision to require FKAQ approval for all contractors working in Korea to obtain a CAC.\nOnce revised, the regulation will also help document validation of contractor CACs.\n\nCAC Expiration\nA memorandum signed by USD(P&R) and the DoD Chief Information Officer titled\n\xe2\x80\x9cCommon Access Card (CAC)-Changes,\xe2\x80\x9d April 18, 2002, allows CACs to be issued for\n3 years or the individual\xe2\x80\x99s term of service, employment, or association with DoD,\nwhichever is shorter. USD(P&R) Directive-Type Memorandum 08-003, \xe2\x80\x9cNext\nGeneration Common Access Card Implementation Guidance,\xe2\x80\x9d December 1, 2008,\nupdated the 2002 guidance. The new memorandum allows a CAC to be issued for the\nduration of the contract, including unfunded options up to 3 years. (In Korea a CAC is\nnormally issued for the funded portion of the contract, usually 1 year or less.)\n\nHowever, neither TAs nor RAPIDS operators used consistent criteria for entering the\nCAC expiration date in CVS or RAPIDS. Although the expiration of most CACs was\nbased on the funded portion of the contract as shown on USFK Form 700-19A-R-E,\nCACs for 62 contractors in our sample expired 30 days after the contract expiration date\nshown on the form. Such inconsistencies occurred because CVS and RAPIDS operators\ndid not have clear guidance for CAC operations in Korea. Operators allowed the extra 30\ndays in accordance with USFK Regulation 700-19, which states that a contractor\xe2\x80\x99s status\nshall automatically be withdrawn 30 days after termination of a contract. The extra days\nwere given for a contractor to renew the CAC based on new contract funding or leave\nKorea.\n\nIt is reasonable to allow a contractor some time to renew a CAC after the funded portion\nof a multiyear contract expires. However, there is no basis for extending the expiration\nof a CAC by 30 days for a completed contract. Therefore, USFK should clarify guidance\nto all TAs in Korea emphasizing that the expiration date for a contractor CAC should not\nbe later than the completion of a contract.5 USFK may also wish to issue CACs for up to\n3 years for contractors on multiyear contracts as allowed by Directive-Type\nMemorandum 08-003.\n\nContractor Background Investigations\nOf the 37 TAs interviewed during the audit, 24 did not verify the status of contractors\xe2\x80\x99\nbackground checks. Some of the reasons TAs gave for not verifying that a background\ninvestigation had been initiated were the following.\n\n    \xef\x82\xb7   They believed some other USFK organization or the contractor had this\n        responsibility.\n    \xef\x82\xb7   The contractor did not work on classified material.\n\n\n\n5\n Guidance is not needed for RAPIDS operators because system changes completed in November 2008\nprevent RAPIDS operators from changing the expiration shown in CVS when issuing a CAC.\n\n\n                                                7\n\x0c   \xef\x82\xb7   They did not know what they were supposed to do.\n   \xef\x82\xb7   They were unaware that a National Agency Check with Inquiries (NACI), or the\n       equivalent, must be initiated before the issuance of a CAC.\n\nWe used the Joint Personnel Adjudication System (JPAS), which provides real-time\ninformation regarding security clearances, access, and investigative status, to check the\nstatus of background investigations for contractors. According to information in JPAS,\nno NACI had been initiated for 50 of the 177 contractors in our sample. After we issued\nthe draft report, we learned that JPAS may not contain information on background\ninvestigations for some contractors who do not require access to classified information.\nTherefore, the number of contractors with CACs who did not have a NACI initiated is not\ncertain. However, our interviews with TAs responsible for verifying that background\ninvestigation requirements have been met indicate that contractors can obtain CACs\nwithout going through the required investigations.\n\nThe CVS User Manual provides no guidance to the TA on how to determine whether a\nproper background check has been initiated. In addition, CVS does not require TAs to\nindicate contractor\xe2\x80\x99s background status when completing the CVS application. In fact, the\nsystem contains no field to indicate the status of a background check.\n\nFederal Information Processing Standard 201-1 requires contractors seeking a CAC to\nhave an initiated NACI or an equivalent background investigation. At a minimum, the\nFederal Bureau of Investigation National Criminal History Check (fingerprint check)\nmust be completed before a CAC can be issued. DoD Regulation 5200.08-R, \xe2\x80\x9cPhysical\nSecurity Program,\xe2\x80\x9d April 9, 2007, also requires a NACI or an equivalent investigation for\npermanent issuance of the CAC.\n\nDoD IG Report D-2009-005 raised a similar issue regarding the need for specific\nbackground investigation requirements and standard procedures for confirming\nbackground checks for contractors applying for CACs. The Under Secretary of Defense\nfor Intelligence noted in response to that report that an electronic system will be deployed\nby the end of 2009 to facilitate electronic verification of background checks. The Under\nSecretary also stated that his office is working on policy guidance that will outline the\ninvestigative requirements for CAC credentialing throughout DoD. DMDC personnel\nstated during our audit that the latest version of RAPIDS interfaces with JPAS but does\nnot prevent a CAC from being issued when there is no indication of a NACI in JPAS.\n\nUSD(P&R) Directive-Type Memorandum 08-003, which was issued during our audit,\ngives further guidance on conducting background investigations of contractors, including\nan authoritative list of background investigations that are equivalent to or exceed the\nrequirements of a NACI, and actions that should be taken by Government sponsors of\ncontractors requiring a CAC. However, until DMDC implements a system change\nprohibiting CACs from being issued to contractors for whom a NACI has not been\ninitiated, USFK should provide guidance for TAs, outlining standard procedures to\nconfirm that a NACI (or equivalent investigation) has been initiated, as required by\nFederal and DoD regulations. Such procedures could require TAs to obtain contractor\n\n\n\n                                             8\n\x0cverification that a NACI has been initiated, or to verify the contractor\xe2\x80\x99s status at the local\npersonnel security office.\n\nCAC Issuance\nBefore issuing a CAC to a contractor, RAPIDS operators should ensure at a minimum\nthat a contractor profile was established in DEERS through CVS and that the CAC, as\nissued, correctly reflects the duration of the contractor\xe2\x80\x99s work and the benefits the\ncontractor is entitled to.\n\nData Source for DEERS Profile\nThe USD(P&R) Memorandum designated CVS as an authorized source of contractor\xe2\x80\x99s\ndata to be fed into DEERS as of July 31, 2006. However, at the time of our review, not\nall contractor CACs had been entered in CVS. For example, a TA stated that she did not\nuse CVS to manage contractors needing to receive new CACs if the contractors received\ntheir original CACs before CVS implementation. According to the CVS User Manual, a\nTA should use CVS to sponsor applicants who have previously had CACs. In another\ninstance, a TA did not use CVS to authorize a CAC because he thought that use of CVS\nwas not required for a Korean subcontractor of a contractor authorized and invited by\nUSFK.\n\nIn both instances, RAPIDS operators issued CACs to contractors who were not entered in\nCVS because the lock down mandated by the USD(P&R) Memorandum had not taken\nplace. According to DMDC, during November 2008, a system control was added to\nRAPIDS that prevents RAPIDS operators from issuing a CAC to any contractor without\nCVS verification. Therefore, we are not making any recommendation regarding the use\nof CVS for approving CACs.\n\nTypes of Identification Cards\nOf 177 contractors in our sample, 9 received inappropriate identification cards because\nguidance for TAs and RAPIDS operators was not clear about the type of identification\ncard to issue.\n\nIdentification and Privilege CACs\nIdentification and Privilege CACs were issued to two entertainers and four summer-hire\nstudent contractors who came to Korea to work under contracts supporting Morale,\nWelfare, and Recreation for less than 3 months. (The audit universe from DMDC also\nincluded 30 student contractors who received CACs but needed only physical access to\nDoD facilities for less than 3 months.) The entertainers and students were ineligible for a\nCAC based on:\n\n   \xef\x82\xb7   Air Force Instruction 36-3026(I), \xe2\x80\x9cIdentification Cards for Members of the\n       Uniformed Services, Their Eligible Family Members, and Other Eligible\n\n\n\n\n                                              9\n\x0c        Personnel,\xe2\x80\x9d6 December 20, 2002, and USD(P&R) Directive-Type\n        Memorandum 08-003, which state that an Identification and Privilege CAC is\n        issued to contractors who are stationed or employed overseas for 365 days or\n        more; and\n\n    \xef\x82\xb7   USD(P&R) Directive-Type Memorandum 08-003, which further states that\n        contractors are eligible for a CAC when they require physical access to multiple\n        Government facilities on a recurring basis for at least 6 months or require both\n        physical and logical access to DoD installations and networks.\n\nAccording to the sponsoring TAs, these contractors did not need and were not given\naccess to DoD networks. Without a need for physical access for 6 months or the need for\nboth physical and logical access, these individuals should not have received CACs.\nRather they should have been issued a base pass and an appropriate ration card to obtain\naccess to USFK facilities. This was also the case of a contractor who was issued an\nIdentification CAC for 13 days. None of those seven contractors were eligible for any\ntype of CAC.\n\nTo ensure that only eligible contractors receive CACs and that they receive the correct\ntype of CAC, TAs and RAPIDS operators must be able to determine who is eligible for a\nCAC and for what type of a CAC. However, the CVS User Manual does not list specific\ncriteria for CAC eligibility; it states only that TAs must establish a contractor\xe2\x80\x99s need for\nphysical and logical access. Also, the RAPIDS User Guide issued by DMDC, while\nstating that contractors are eligible for an Identification and Privilege CAC when going\non assignment overseas, is not clear about the duration of overseas assignments required\nfor a contractor to obtain an Identification and Privilege CAC. Because TAs and\nRAPIDS operators use the CVS User Manual and RAPIDS User Guide as references for\ntheir CAC operations, those documents should state the eligibility requirements for each\ntype of CAC to ensure compliance with DoD guidance.\n\nGeneva Conventions CACs\nGeneva Conventions CACs should be issued to \xe2\x80\x9cemergency essential\xe2\x80\x9d contractors\naccompanying and supporting the Armed Forces during a conflict, combat, or\ncontingency operation. However, RAPIDS operators issued Geneva Conventions CACs\nto two contractors in our sample who were not identified as emergency essential, partly\nbecause the RAPIDS User Guide was not clear about the eligibility for a Geneva\nConventions CAC. The RAPIDS User Guide states that contractors accompanying forces\noverseas for more than 1 year are entitled to a Geneva Conventions CAC, but does not\nstate what constitutes contingency conditions. To ensure that only eligible contractors\nreceive the benefits under the Geneva Conventions agreement, the RAPIDS User Guide\nneeds to provide clear guidance for RAPIDS operators to determine who is eligible for a\nGeneva Conventions CAC.\n\n\n6\n  Air Force Instruction 36-3026(I) is a joint service regulation, also referred to as Army\nRegulation 600-8-14, Bureau of Naval Personnel Instruction 1750.10B, Marine Corps Order P5512.11C,\nand Commandant Instruction M5512.1.\n\n\n                                                 10\n\x0cMisclassification of Contractors\nOf the 2,601 contractors in our audit universe, 146 contractors (5.6 percent) were\ninappropriately assigned a General Schedule (GS) pay grade because RAPIDS did not\ninclude controls to limit pay grade entries as GS-Equivalent or Other for contractors.\nMisclassification of contractors can affect their entitlements and access to information.\nContractors may receive housing available only to U.S. Government personnel and gain\naccess to sensitive information that may be restricted to Government employees.\nMisclassification of pay grade could be prevented by system controls that limit entry\noptions to the pay grade class designated for contractors. In response to DoD IG\nReport No. D-2009-005, regarding CACs erroneously showing GS pay grades, the\nUSD(P&R) stated that DMDC will modify RAPIDS so that the printed face of all\ncontractor CACs will show Other for the pay grade. Therefore, we are not making any\nrecommendation to correct misclassification.\n\nCAC Reverification\nThe CVS User Manual states that the TA should reverify a contractor\xe2\x80\x99s need for a CAC\nevery 180 days. When a contractor reaches the 150-day mark, the TA receives e-mail\nnotification from CVS to reverify the contractor\xe2\x80\x99s need for the CAC. The TA has 30\ndays after this notification to reverify, or the contractor\xe2\x80\x99s CAC will automatically be\nrevoked.\n\nUSFK has a policy whereby invited contractors working in Korea are issued a CAC only\nfor the funded portion of a contract, normally not more than 1 year. This control reduced\nthe risk of unauthorized use of CACs, compared with the multiyear contracts or the\nmaximum 3-year period allowed by DoD.\n\nThe majority of TAs interviewed stated that they took steps to reverify each contractor\xe2\x80\x99s\nemployment status; however, they did not normally maintain documentation to support\ntheir reverification. Therefore, an audit trail was not available for us to confirm that TAs\nhad assessed each contractor\xe2\x80\x99s continued need for a CAC at the time of reverification.\nHowever, as previously discussed, having a TA who is also the RO facilitates verification\nof a contractor\xe2\x80\x99s status. Requiring TAs to be ROs would further reduce the risk of\ncontractors having unauthorized CACs after their association with the Government has\nterminated.\n\nCAC Revocation and Recovery\nThe CVS User Manual states that the TA should collect and return revoked and expired\nCACs in accordance with standard procedures. Upon receipt of such CACs, the RAPIDS\nSite Security Managers return the CACs to DMDC. When DMDC receives the\nterminated CACs, DMDC updates their status in the Inventory Logistics Portal, the\nsystem for inventory and logistic management of CAC card stock. This action indicates\nthat the CACs have been revoked, recovered, and prepared for destruction.\nIn Korea, ROs are responsible for recovering CACs when contractors finish their work or\nleave Korea. USFK Regulation 700-19 requires ROs to collect and return identification\ncards to the issuing authorities. ROs must document turn-in of the identification cards on\n\n\n                                            11\n\x0cUSFK Form 700-19A-R-E, Part IV, and submit the closeout form to FKAQ. However, in\ndiscussions with us, FKAQ personnel indicated that they do not receive copies of the\ncompleted USFK Form 700-19A-R-E for contractors finishing their work or leaving\nKorea.\n\nOf the CACs issued to contractors in our sample, 168 were terminated.7 DMDC verified\nthat 112 of these CACs had been recovered and returned to DMDC. Of 56 CACs not\nreturned, only 4 were coded as lost. In responding to the draft report, DMDC stated that\nit cannot account for all CACs returned, because some CACs returned to DMDC are no\nlonger functional and are worn beyond recognition. However, in our opinion the main\ninability to account for all CACs occurred because TAs and ROs did not comply with the\nCVS User Manual or USFK Regulation 700-19. Some TAs or ROs we interviewed did\nnot even know that they were responsible for recovery of CACs. One TA stated that he\ncut up expired CACs but did not document which CACs he destroyed. Enforcing the\nrequirement for TAs to take the annual certification training should make operators aware\nof their responsibilities and provide full accountability.\n\nIn response to DoD IG Report No. D-2009-005, DMDC agreed to include a message for\ncontractors applying for a CAC in CVS, informing the applicants of their responsibility to\nreturn terminated or expired CACs to a RAPIDS facility or to specific Government\npersonnel (such as a TA). In addition, USD(P&R) agreed to implement a process to\nperiodically inform TAs when contractors have not turned in revoked CACs. USD(P&R)\nwas working on guidance requiring local commands to ensure that retrieval of CACs is\npart of the normal check-out process. When fully implemented, these actions will further\nstrengthen controls over recovery of CACs.\n\nUSFK should enforce and monitor compliance with USFK Regulation 700-19 to ensure\nCACs are properly recovered when contractors do not need them for official business\nwith the Government.\n\nCompensating Controls Over Physical Access\nTo gain access to military installations in Korea, CAC holders must register their CACs\nwith the Defense Biometric Identification System. Security personnel at the access\ncontrol point use the Defense Biometric Identification System to verify the authenticity of\nall CACs. When a CAC is suspicious or questionable, the access control point security\npersonnel verify its authenticity by using the fingerprint scan function of the system.\nTherefore, the Defense Biometric Identification System precludes possible use of invalid,\nlost, or stolen CACs for installation access. Also, to be granted access to the post or base\nexchanges and commissaries, CAC holders must present a valid CAC and a Ration\nControl Card at the same time. To obtain the Ration Control Card, contractors must\nregister in the Defense Biometric Identification System. These internal controls\n\n\n\n\n7\n Some contractors had more than one CAC terminated for various reasons, such as changes in information\nor issuance failure. Other contractors did not have a CAC that was terminated during the audit period.\n\n\n                                                  12\n\x0ccompensate for control weaknesses and reduce the risk of unauthorized access to DoD\ninstallations and privileges in Korea.\n\nConclusion\nAlthough supporting documentation for CACs issued to contractors in Korea was usually\navailable, strengthening controls and issuing additional guidance could improve the\nadministration of contractor CACs. Compensating controls, such as the use of the\nDefense Biometric Identification System and review of contracts by FKAQ, helped\nreduce the security risk. After we issued DoD IG Report D-2009-005, DoD issued\nguidance and made system changes to improve the administration of contractor CACs.\nDoD has stated that additional policy and system improvements will be forthcoming.\nThese improvements should resolve most of the weaknesses identified in this report.\nHowever, implementing the recommendations in this report should resolve the remaining\nweaknesses and further reduce potential national security risks posed by unauthorized\naccess to DoD resources, installations, and sensitive information.\n\nManagement Comments on the Finding and Our\nResponse\nDMDC Comments\nThe Director, DMDC did not believe that we had sufficient support for our\ncharacterization of the weaknesses in controls in the previous CAC audit (D-2009-005) as\na \xe2\x80\x9cpotential national security risk.\xe2\x80\x9d A specific example in the previous report regarding\nthe potential risk gave the impression that an e-mail address contained in a CAC could\nallow a contractor access to assets. A CAC is only an identification card that alone\nshould not provide its holder access to DoD networks or facilities. The requirement\nshown in DoD Instruction 8500.2, \xe2\x80\x9cInformation Assurance (IA) Implementation,\xe2\x80\x9d\nFebruary 6, 2003, to identify contractors by their e-mail addresses is assigned to network\nadministrators, who establish e-mail accounts and manage network access.\n\nThe Director stated that JPAS does not contain suitability determination information for\nindividuals who do not require access to classified information. Therefore, the DoD IG\xe2\x80\x99s\nuse of JPAS alone to verify background investigations for contractors failed to account\nfor all of the systems that contain suitability information for contractors.\n\nThe Director stated that the audit report implied that DMDC was able to account for all\nCACs that were physically returned to DMDC. However, sometimes returned CACs\ncannot be identified because they are no longer functional or are worn beyond\nrecognition.\n\nOur Response\nThe DMDC disagreement with our use of the phrase \xe2\x80\x9cpotential national security risk\xe2\x80\x9d\nwas related to a previously issued audit report. Report D-2009-005 identified numerous\ndeficiencies and gave several examples to back up the audit conclusions. The conclusion\nof the report was that \xe2\x80\x9cOverall, CAC life-cycle weaknesses pose a potential national\n\n\n                                           13\n\x0csecurity risk that may result in unauthorized access to DoD resources, installations, and\nsensitive information worldwide.\xe2\x80\x9d We consider the example cited in the DMDC\ncomments regarding contractor e-mail accounts as one of many potential weaknesses\nidentified in the previous audit report. For example, if a contractor with a DoD (.mil)\ne-mail account is not identified as a contractor, U.S. Government personnel may send the\ncontractor information that is only authorized for U.S. Government employees and could\nbe a potential national security risk.\n\nWe used JPAS as one source of information on the status of required investigations for\ncontractors. Information provided to us by DMDC after we issued the draft report\nindicates that JPAS may not have all information on the suitability determinations for\ncontractors. Therefore, we modified our report accordingly. However,\nRecommendation 1.d. remains the same because it is the TA\xe2\x80\x99s responsibility to verify\nthat a NACI has been initiated.\n\nWe did not mean to imply that DMDC could account for all CACs that were returned.\nOur audit focus was on whether TAs were properly accounting for or returning CACs\nthat were expired or invalid. We merely stated how many of the terminated CACs\nDMDC could account for. We clarified our report to indicate that some returned CACs\ncannot be identified because they cannot be read.\n\nRecommendations, Management Comments, and Our\nResponse\n1. We recommend that the Commander, United States Forces Korea:\n\n       a. Require a Responsible Officer or a direct subordinate to be the Trusted\n       Agent for contractors sponsored in Korea, when practical.\n\n       b. Revise United States Forces Korea Regulation 700-19 to require all\n       contractors working in Korea who require a Common Access Card to obtain\n       approval from the Office of the Assistant Chief of Staff, Acquisition\n       Management.\n\n       c. Issue guidance to Trusted Agents approving contractor Common Access\n       Cards in Korea emphasizing that the expiration date for the card must not\n       be later than the date of contract completion.\n\n       d. Require Trusted Agents to verify that a National Agency Check with\n       Inquiries has been initiated before they approve a contractor\xe2\x80\x99s application\n       for a Common Access Card in the Contractor Verification System.\n\n       e. Enforce and monitor compliance with United States Forces Korea\n       Regulation 700-19 to ensure contractor Common Access Cards are properly\n       recovered and turned in to the appropriate Real-Time Automated Personnel\n       Identification System site when the cards expire or are no longer needed for\n       official business with the Government.\n\n\n                                           14\n\x0cManagement Comments Required\nThe Commander, USFK did not respond to the draft report. We request the Commander\nto provide comments on the final report by July 9, 2009.\n\n2. We recommend that the Director, Defense Manpower Data Center:\n\n       a. Modify the Contractor Verification System to prohibit Trusted Agent\n       Security Managers and Trusted Agents from using the system if they have\n       not taken the required certification training.\n\nDefense Manpower Data Center Comments\nThe Director, DMDC agreed and stated that by August 2009 DMDC will require\noperators to complete certification training. After a 30-day warning period, TAs and\nTASMs who have not completed the required training will be locked out of their CVS\naccounts.\n\n       b. Clarify the Real-Time Automated Personnel Identification System User\n       Guide by listing eligibility requirements that contractors must meet for the\n       Identification and Privilege Common Access Card and the Geneva\n       Conventions Common Access Card.\n\nDefense Manpower Data Center Comments\nThe Director, DMDC agreed and stated that as of March 19, 2009, the RAPIDS 7.4 User\nGuide includes updates to clarify both eligibility and documentation requirements for\ncontractors.\n\n       c. Clarify the Contractor Verification System User Guide to help a Trusted\n       Agent determine whether or not a Common Access Card or a base pass\n       should be issued to a contractor who needs physical access to Government\n       facilities for short periods.\n\nDefense Manpower Data Center Comments\nThe Director, DMDC agreed and stated that DMDC, in coordination with the Defense\nHuman Resource Activity, will update the CVS User Guide to improve the explanation of\nCAC eligibility by August 2009.\n\nOur Response\nDMDC comments on all parts of Recommendation 2. were responsive, and no additional\ncomments are required.\n\n\n\n\n                                          15\n\x0cAppendix. Scope and Methodology\nWe conducted this performance audit from September 2008 through February 2009 in\naccordance with generally accepted government auditing standards. Those standards\nrequire that we plan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our findings and conclusions based on our audit objectives.\nWe believe that the evidence obtained provides a reasonable basis for our findings and\nconclusions based on our audit objectives.\n\nWe interviewed the Site Security Managers and Verifying Officials regarding their\nprocedures and operations at the 10 RAPIDS sites in Korea: U.S. Army Yongsan\nGarrison, Camp Red Cloud, Camp Stanley, Camp Casey, Camp Humphreys, Camp\nHenry, Osan Air Base, Kunsan Air Base, Chinhae Naval Base, and the Navy Personnel\nSupport Detachment at Yongsan.\n\nAt our request, DMDC provided four data sets that corresponded to each phase of the\ncontractor CAC life cycle:\n\n    \xef\x82\xb7   CVS applications associated with Korean CVS site operators or CACs issued or\n        terminated by a Korean RAPIDS Site from September 1, 2007, through\n        August 31, 2008 (application data);\n    \xef\x82\xb7   CACs issued from the Korean RAPIDS site from September 4, 2007, through\n        September 12, 2008 (issuance data);*\n    \xef\x82\xb7   CVS reverifications associated with Korean CVS site operators or CACs issued or\n        terminated by a Korean RAPIDS site from September 1, 2007, through\n        August 31, 2008; and\n    \xef\x82\xb7   CACs terminated from the Korean RAPIDS site from September 1, 2007, through\n        September 12, 2008.*\n\nAfter a preliminary review of those data sets, we decided to use the application data and\nissuance data to obtain a universe of contractors. After merging two data sets and\neliminating duplicates, we sent data on the universe of 3,568 contractors to the DoD IG\nQuantitative Methods and Analysis Division for selecting a statistical random sample of\n252 contractors. As the audit progressed, we found that the CAC issuance data provided\nby DMDC incorrectly included contractor dependents, who received dependent\nidentification cards rather than CACs. Therefore, we had to delete 967 records from the\naudit universe, reducing the population to 2,601. (Note that the audit universe is greater\nthan the number of contractors issued CACs in Korea as of August 31, 2008\n[approximately 2,300], because the audit universe included contractors who were issued\nCACs that may have terminated before August 31, 2008.) As we examined the\nsupporting documentation for CACs issued, we also found that DMDC had incorrectly\n\n\n*\n We asked DMDC for CVS and RAPIDS information for the year ended August 31, 2008. However,\nDMDC used slightly different dates, as shown above. The use of different dates did not affect our audit\nconclusions\n\n\n                                                    16\n\x0cincluded some contractors who were not issued CACs in Korea. This reportedly\nhappened because DMDC incorrectly selected contractors associated with a TA who had\nat one time been associated with Korean contractors. As a result, we reduced the sample\nto 177 contractors. Therefore, we were not able to project from our sample to the\nuniverse. Consequently, we analyzed the results for our random sample and presented\nour findings based on this analysis. However, because the contractors were selected at\nrandom, we reasonably believe that the results are representative of the universe.\n\nFor each contractor in our sample, we tested specific steps in the CAC life cycle. For\ncontractors whose applications DMDC data indicated were processed through CVS, we\nalso interviewed the TAs, if available. We interviewed 38 TASMs and TAs (many\nTASMs also functioned as TAs) responsible for sponsoring contractors in Korea to\ndetermine their functions, what training they had taken, and what type of documentation\nthey had to support CACs. Because some of the TAs did not maintain sufficient\ndocumentation, and some TAs who had sponsored contractors had left Korea, we had to\nobtain a large amount of supporting documentation from the USFK Office of the FKAQ.\nThis office is responsible for reviewing contracts to determine whether they qualify under\nthe Invited Contractor and Technical Representative Program as discussed in USFK\nRegulation 700-19.\n\nWe provided the Social Security numbers of the contractors in our sample to a DoD IG\nsecurity officer and a security officer with USFK, who reviewed information in JPAS to\ndetermine whether the required NACI background investigations on the contractors had\nbeen initiated.\n\nBecause the DoD IG issued Report D-2009-005 on controls over the CAC life cycle\nduring our audit, we also reviewed the findings, recommendations, and management\ncomments in that report; we discussed these in our report where appropriate.\n\nUse of Computer-Processed Data\nWe relied on DMDC to extract data from CVS and DEERS to identify contractors who\nobtained CACs in Korea. We did not perform a formal reliability assessment of the\ncomputer-processed data. However, we did validate computer-processed data based on\ndocumentation obtained from contracting personnel, TAs, and TASMs in Korea and\nconcluded the data used were reliable. We did not find significant errors between the\ncomputer-processed data and source documents that would preclude use of the computer-\nprocessed data or change our audit conclusions. However, as previously discussed, we\nhad to remove some individuals from the audit universe because they did not fall within\nthe scope of our audit.\n\nUse of Technical Assistance\nWe obtained assistance from the DoD IG Quantitative Methods and Analysis Division.\nThe Quantitative Methods and Analysis Division assisted in drawing a sample from a\nuniverse of contractors whose CAC cards were issued in Korea. However, we are unable\nto project from the sample to the universe because the original universe contained\nindividuals and contractors who were out of the audit scope, as previously discussed.\n\n\n                                           17\n\x0cPrior Coverage\nDuring the last 5 years, the Government Accountability Office, the DoD IG, the Naval\nAudit Service, and the Air Force Audit Agency have issued several reports discussing\nCACs. Unrestricted Government Accountability Office reports can be accessed over the\nInternet at http://www.gao.gov. Unrestricted DoD IG reports can be accessed at\nhttp://www.dodig.mil/audit/reports. Naval Audit Service reports are not available over\nthe Internet. Air Force Audit Agency reports can be accessed from .mil domains over the\nInternet at https://wwwd.my.af.mil/afknprod/ASPs/cop/Entry.asp?Filter=OO by those\nwith Common Access Cards who create user accounts.\n\nGovernment Accountability Office\nGovernment Accountability Office Report No. GAO-07-525T, \xe2\x80\x9cStabilizing and\nRebuilding Iraq: Conditions in Iraq Are Conducive to Fraud, Waste, and Abuse,\xe2\x80\x9d\nApril 23, 2007\n\nDoD IG\nDoD IG Report No. D-2009-005, \xe2\x80\x9cControls Over the Contractor Common Access Card\nLife Cycle,\xe2\x80\x9d October 10, 2008\n\nDoD IG Report No. D-2008-104, \xe2\x80\x9cDoD Implementation of Homeland Security\nPresidential Directive-12,\xe2\x80\x9d June 23, 2008\n\nNavy\nNaval Audit Service Report No. N2005-038, \xe2\x80\x9cCommon Access Card Implementation,\xe2\x80\x9d\nApril 8, 2005\n\nAir Force\nAir Force Audit Agency Report No. F2008-0005-FD2000, \xe2\x80\x9cControls Over Contractor\nIdentification,\xe2\x80\x9d April 2, 2008\n        This was a summary report based on 14 reports from bases. One of those 14 base\n        reports was for the 51st Fighter Wing at Osan Air Base, Korea.\n        Report No. F2008-0011-FBP000, \xe2\x80\x9cContractor Identification Access Controls,\xe2\x80\x9d\n        February 27, 2008\n\nAir Force Audit Report No. F 2007-0010-FB4000, \xe2\x80\x9cAir Force Use of Common Access\nCard for Physical Access,\xe2\x80\x9d August 24 2007\n       This was a summary report based on three base-level reports and audit work at 12\n       Air Force installations.\n\n\n\n\n                                          18\n\x0cDefense Manpower Data Center Comments\n\n\n\n\n                 Click to add JPEG file\n\n\n\n\n                                19\n\x0cClick to add JPEG file\n\n\n\n\n               20\n\x0c                           Final Report\n                            Reference\n\n\n\n\nClick to add JPEG file\n\n\n\n                         Revised, page 8\n\n\n\n\n                         Page 11\n\n\n\n\n               21\n\x0c                           Final Report\n                            Reference\n\n\n\n\n                         Information added\n                         to clarify (see\n                         page 12)\n\n\n\n\n                         Page 17\n\n\n\n\nClick to add JPEG file\n\n\n\n\n               22\n\x0c\x0c\x0c'